Compliance executives have been more concerned about whistleblowers ever since the Securities and Exchange Commission opened its Whistleblower Office in 2012 to process tips from individuals deep inside companies. Now those executives may be the ones blowing the whistle.

That’s because regulators are dangling the carrot of a big pay day in front of compliance officers and auditors for reporting misconduct at their companies.

The Securities and Exchange Commission proudly announced it has given its first whistleblower award to “a company employee who performed audit and compliance functions.” The $300,000 jackpot was to reward the individual for reporting concerns to the SEC when the company failed to take action on those same reports internally. The SEC’s order granting the whistleblower’s claim gives no detail on the nature of the misconduct, the company where it occurred, or the identity of the whistleblower, all of which is meant to assure that the person cannot be identified.

The order indicates that the whistleblower reported a problem internally, then took it to the SEC when the company failed to act, which led to an investigation and an enforcement action. The order grants the whistleblower 20 percent of the sanctions the SEC is collecting in its enforcement action against the company.

“I definitely think the SEC is trying to send a message with this, and on some levels it’s troubling to the employer base I represent. We would expect these people to be the eyes and ears to look out for these very problems for us.”
Gregory Keating, Shareholder, Littler Mendelson

Sean McKessy, chief of the SEC’s whistleblower office, wants auditors and compliance officers to know that he’s happy to take their phone call. “Individuals who perform internal audit, compliance, and legal functions for companies are on the front lines in the battle against fraud and corruption,” he said in a statement. “They often are privy to the very kinds of specific, timely, and credible information that can prevent an imminent fraud or stop an ongoing one. These individuals may be eligible for an SEC whistleblower award if their companies fail to take appropriate, timely action on information they first reported internally.”

The award is striking a nerve among legal experts about the extent to which those front-line compliance and audit professionals are or should be eligible for whistleblower awards. “I definitely think the SEC is trying to send a message with this,” says Gregory Keating, a shareholder with law firm Littler Mendelson and co-chair of the firm’s whistleblowing and retaliation practice. “And on some levels it’s troubling to the employer base I represent. We would expect these people to be the eyes and ears to look out for these very problems for us.”

Under controversial rules establishing the SEC’s whistleblower program—which was part of the Dodd-Frank Act—anyone with original information on corporate misdeeds can report them directly to the SEC and become eligible for a whistleblower award of 10 to 30 percent of any money the SEC might collect under an enforcement action. Companies protested the allowance of whistleblowers to go directly to the SEC before reporting matters internally, but to no avail.

Strings Attached

The rules do not apply in the same way, however, to compliance and audit professionals, says Allegra Lawrence-Hardy, a partner with law firm Sutherland, Asbill & Brennan. “Under the regulations, there are exceptions to the general rule that would preclude whistleblower awards for employees whose duties include compliance and internal audit,” she says.

If someone in that capacity reports a matter internally but sees no action in 120 days, they are eligible to become an SEC whistleblower. And they are eligible without waiting the 120 days if they believe that getting the SEC involved is necessary to prevent something that would cause great harm to the company or its investors, or if they believe the company is doing something meant to impede an investigation of the misconduct. That means companies are now reminded that 120 days is an important window for action, says Lawrence-Hardy. “It’s a really important reminder of the need for prompt action,” she says.

The SEC believes 120 days is a reasonable amount of time for companies to at least initiate action on a credible tip, especially if it comes from the internal audit or compliance office, says David Wilson, a partner with Thompson Hine. “The job of internal audit is to report internally,” he says. “The takeaway is that companies need to take these complaints very seriously. You have to act quickly to separate the wheat from the chaff.”

Jeff Alberts, a partner with law firm Pryor Cashman and a former assistant U.S. attorney in New York, says it’s clear the SEC intended to send a message with its latest whistleblower award. “They want to make sure compliance professionals understand that this opportunity is available to them,” he says. “They are potentially the most valuable whistleblowers. Second, the SEC wants to let companies know they need to act swiftly to complaints that are made. Companies need to focus more aggressively on this 120-day time line.”


Below are the three exceptions in the whistleblower regulation that enable auditors and/or compliance professionals to become whistleblowers:

You have a reasonable basis to believe that disclosure of the information to the Commission is necessary to prevent the relevant entity from engaging in conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors;

You have a reasonable basis to believe that the relevant entity is engaging in conduct that will impede an investigation of the misconduct; or

At least 120 days have elapsed since you provided the information to the relevant entity's audit committee, chief legal officer, chief compliance officer (or their equivalents), or your supervisor, or since you received the information, if you received it under circumstances indicating that the entity's audit committee, chief legal officer, chief compliance officer (or their equivalents), or your supervisor was already aware of the information.
Source: Cornell University Law School.

Andrew Rainer, of counsel with law firm Brody, Hardoon, Perkins & Kesten, says the SEC whistleblower program doesn’t appear to treat external auditors differently from internal auditors as prospective whistleblowers. However, external auditors would report serious concerns directly to the audit committee, where there’s naturally more leverage to get action. “If that happens, the chances of a company policing itself go up dramatically,” he says. “It’s different for an internal auditor or an employee who often feels constrained to go up the chain.”

The decision to become a whistleblower for an outside auditor is likely more difficult, says Diana Lloyd, practice group leader at law firm Choate, Hall & Stewart. “The practical question going forward appears to be how outside auditors will weigh the value of a potential whistleblower award against the potential reputational risk associated with turning in a client to the SEC,” she says. “In theory, the identity of whistleblowers is to remain confidential, but the risk of disclosure cannot be entirely eliminated.”

John Fullerton, a partner with Epstein Becker Green, says the increased focus in recent years on whistleblower issues has raised some thorny issues with respect to retaliation claims that come from compliance and audit professionals. It’s not always clear to employers how to release a compliance or audit professional for reasonable cause without invoking a retaliation claim. “It can be frustrating for a company when a person’s job is to report internally, and then they suffer some kind of adverse employment action,” he says. “The company will say we hired you to report, so we didn’t retaliate against you for reporting. You were fired for some other reason. The law with respect to retaliation protections in auditor functions continues to develop.”